mirror of
https://github.com/RGBCube/serenity
synced 2025-07-25 19:17:44 +00:00
LibWeb: Fix use-after-free in CSSNamespaceRule parsing
Holding the `prefix` as a StringView meant it pointed at string data held by `token`. `token` gets reassigned shortly afterwards, meaning `prefix` would hold invalid character data.
This commit is contained in:
parent
5042c903be
commit
6c2ed0f51b
3 changed files with 6 additions and 6 deletions
|
@ -14,7 +14,7 @@ class CSSNamespaceRule final : public CSSRule {
|
|||
WEB_PLATFORM_OBJECT(CSSNamespaceRule, CSSRule);
|
||||
|
||||
public:
|
||||
static WebIDL::ExceptionOr<JS::NonnullGCPtr<CSSNamespaceRule>> create(JS::Realm&, Optional<StringView> prefix, StringView namespace_uri);
|
||||
static WebIDL::ExceptionOr<JS::NonnullGCPtr<CSSNamespaceRule>> create(JS::Realm&, Optional<DeprecatedString> prefix, StringView namespace_uri);
|
||||
|
||||
virtual ~CSSNamespaceRule() = default;
|
||||
|
||||
|
@ -25,7 +25,7 @@ public:
|
|||
virtual Type type() const override { return Type::Namespace; }
|
||||
|
||||
private:
|
||||
CSSNamespaceRule(JS::Realm&, Optional<StringView> prefix, StringView namespace_uri);
|
||||
CSSNamespaceRule(JS::Realm&, Optional<DeprecatedString> prefix, StringView namespace_uri);
|
||||
|
||||
virtual void initialize(JS::Realm&) override;
|
||||
|
||||
|
|
Loading…
Add table
Add a link
Reference in a new issue